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Abstract. In 2001, Rivest et al. firstly introduced the concept of ring 
signatures. A ring signature is a simplified group signature without any 
manager. It protects the anonymity of a signer. The first scheme proposed 
by Rivest et al. was based on RSA cryptosystem and certificate based 
public key setting. The first ring signature scheme based on DLP was 
proposed by Abe, Ohkubo, and Suzuki. Their scheme is also based on the 
general certificate-based public key setting too. In 2002, Zhang and Kim 
proposed a new ID-based ring signature scheme using pairings. Later Lin 
and Wu proposed a more efficient ID-based ring signature scheme. Both 
these schemes have some inconsistency in computational aspect. 
In this paper we propose a new ID-based ring signature scheme and a 
proxy ring signature scheme. Both the schemes are more efficient than 
existing one. These schemes also take care of the inconsistencies in above 
two schemes. 

Keywords: Cryptography, Digital Signature, Ring Signature, Bilinear 
pairings, ID-based. 



1 Introduction 

The concept of ring signature was introduced by Rivest, Shamir and Tauman in 
[?]. The ring signature allows a user from a set of possible signers to convince 
the verifier that the author of the signature belongs to the set but identity of the 
author is not disclosed. The ring signature may be considered to be a simplified 
group signature which consists of only users without the managers. It protects 
the anonymity of a signer since the verifier knows only that the signature comes 
from a member of a ring, but doesn't know exactly who the signer is. There is 
no way to revoke the anonymity of the signer. 



Unlike the group signature schemes the ring signature scheme requires neither 
a group manager, nor a setup procedure, nor the action of non-signing members. 
For signing any message to, the signer may choose random set of other possible 
signers including himself, to produce a valid ring signature. This signature does 
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not reveal the identity of the signer but it may be verified with this signature that 
the signer belong to the possible signers set. There is no revocation manager. 
This allows unconditional anonymity of signer. 

Ring Signature with Proxy Signatures: The proxy signature scheme was intro- 
duced by Mambo et al. in 1996. These allow a proxy signer to sign on behalf of an 
original signer. After Mambo et al. many proxy signature schemes have been pro- 
posed |9I1()I12| . Proxy signature may be combined with other special signatures 
to obtain new type of the proxy signatures. Various schemes like multi-proxy 
signature scheme [8], threshold proxy signature scheme, proxy blind signature 
scheme [?] etc. have been proposed. 

Suppose an original signer delegates its signing capability to a number of proxy 
signers, such that any proxy signer may produce a valid proxy signature for 
some message m. To achieve anonymity of these proxy signers we may use ring 
signatures. We, therefore, combine the idea of proxy signature with ring signature 
and get a new type of signature - proxy ring signature. 

In 1984, Shamir |TJ introduced ID-based encryption and signature schemes to 
simplify key management procedures in certificate-based public key setting. Re- 
cently, many bilinear pairings based ID-based signature schemes were developed. 

|ll2lal4ISl6iyil:ill4| 

In this paper we propose a new ID-based ring signature scheme and also an ID- 
based proxy ring signature scheme. Both schemes are more efficient than existing 
schemes. 

2 Overview of Ring Signatures 

In this section we follow formalization proposed by Rivest et al. [?] 

Definition 1. Assume that each user has a secret key Si and its corresponding 
public key Pi. Let < P r > denotes the set of possible signer where r is number 
of users listed in the set. Then ring signature scheme consists of the following 
algorithms - 

— Ring Sign- A probabilistic algorithm which takes a message m, secret key Sk 
of signer, and the possible signers set < P r > as input and produces a ring 
signature a for the message m 

— Ring Verify- A deterministic algorithm which takes a message m, the possible 
signers set < P r > and the ring signature a as input and returns either TRUE 
or FALSE. 

2.1 Properties 

A ring signature must satisfy the usual correctness and unforgeability property. A 
fairly generated ring signature must be accepted as valid with higher probability; 
and it must be infeasible for any other user to generate, except a very little 
probability e, a valid ring signature with the ring he does not belong to. 
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Signature must be anonymous, so that no verifier should be able to guess the 
actual signer's identity with probability greater than 7 + e, where r is ring size 
and e is however small. 

Since the possible signer set is randomly chosen and is not predetermined, it 
should be a part of signature. 

2.2 Combining Function 

The concept of Ring signature is derived from an abstract concept called Com- 
bining Function. 

Definition 2. A combining function Ck, v (yi, 2/2, — , Un) takes as input a key k, 
an initialization value (also refereed as glue value) v, and an arbitrary values 
2/1)2/2, — ,2M S {0, l} b . It produces z G {0, l} b , such that for any fixed values 
k,v, any index s and fixed value of {yi}i^ s , Ck, v is a permutation over {0, l} b , 
when seen as a function ofy s . This permutation is efficiently computable as well 
as its inverse. 

2.3 Rivest et al.'s Ring signature scheme 

Ring signature generation: Given a message m to be signed, signer's secret 
key Sk, and the possible signers' public keys sequence Pi, P 2 , P r of all ring 
members, the signer computes the ring signature as follows. 

1. Choose a key : The signer computes, using a publicly known hash function 
h 

k = h{m,P 1 ,P 2 ,...,P r ) 

2. Pick a random glue value : The signer picks an initialization value 

ve R {0,l} b 

3. Pick random x^s : The signer picks an random Xi for all other ring mem- 
bers uniformly and independently from {0, l} b , and computes yi = gi(xi) 

4. Formation of ring : The signer solves the ring equation for y^: 

Cfc,„(2/l,2/2, -,2/n) = v 

and using knowledge of his trapdoor he gets Xk from yk- 

5. Output the ring signature : The ring signature on message m is defined 
to be the (2r + 1) tuple: 

(Pi,P 2 , ...,P r ;v;x 1 ,x 2 , ...,x r ) 
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Ring signature verification: On receiving (Pi, Pj, P r ; v; x%, X2, ...,x r ) as 
the ring signature on message to, the verifier can verify as follows. 

1. Apply trapdoor permutation : verifier computes for each i, yi = gi(xi) 

2. Key computation : computes k — h(m, Pi, P2, P r ) 

3. Verify the ring equation : The verifier checks if 

C k ,v(yi,V2, -jj/n) = v 

If the ring equation is satisfied, the verifier accepts the signature as valid 
otherwise rejects. 

3 Bilinear Pairings 

Let Gi cyclic additive group generated by P, whose order is a prime q, and G2 
be a cyclic multiplicative group of the same order q: A bilinear pairing is a map 
e : Gi x Gi — > G2 with the following properties: 
PI: Bilinear: e{aP,bQ) = e{P,Q) ab ; 

P2: Non- degenerate: There exists P,Q £ Gi such that e(P, Q) 7^ 1; 

P3: Computable: There is an efficient algorithm to compute e(P, Q) for all P,Q £ 

Gi. 

When the DDHP (Decision Diffie-Helhnan Problem) is easy but the CDHP 
(Computational Diffie-Hellman Problem) is hard on the group G; we call G a 
Gap Diffie-Hellman (GDH) group. Such groups can be found on supersingular 
elliptic curves or hyperelliptic curves over a finite field, and the bilinear parings 
can be derived from the Weil or Tate pairing. 1 11417) 

4 Proposed ID-based Ring Signature Scheme (IDBRS) 

Setup : Let P is a generator of Gi; e : Gi x Gi — > G2 is a bilinear pairing. 
Pi : {0,1}* — ► z*, H 2 : {0,1}* — > Gi and H 3 : G 2 — > z* are crypto- 
graphic hash functions. Key Generation Center (KGC) chooses a random num- 
ber s S Z* and sets Pp u b — sP. The KGC publishes the system parameters 
{Gi, G2, e, q, P, Ppub, Pi, P2} and keeps s as the master key. 

Extract : An user submits its identity information ID^ to KGC. KGC publishes 
the public key Qk = H2(IDk) and returns Sk = sQk to the user as his/her 
private key. 

Ring signature generation: Given a message m to be signed, signer's secret 
key Sk, and the possible signers' public keys sequence L — {IDi,ID 2 , ...,ID r ) 
of all ring members, the signer computes the ring signature as follows. 



1. Choose a key : K = Pi(m||L). 
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2. Pick a random glue value : The signer picks a random A e G\ and 
computes the initialization value 

v = c k = e(A, P) K 

3. Pick random Tj's : The signer picks a random Tj for all other ring members 
uniformly and independently from Gi, and computes 

c 4+ i = [e(P Pub ,H 3 (c i )Q i ).e(T i ,P)] K 

4. Formation of ring : The signer solves the ring equation for y k . when % = k, 
we get 

c k+1 = [e(P Pub , H 3 (c k )Q k ).e(T k , P)] K = v 
On solving this ring equation we get 

T k = A - H 3 (c k )S k 

Now compute T = £ T t 

5. Output the ring signature : The ring signature on message m is the tuple 

(i;ci,c 2 , ...,c r ;T) 

Ring signature verification: On receiving the ring signature (L; ci,c 2 , ...,c r ;T) 
on message m, the verifier can verify as follows. The verifier computes 

K = H 1 {m\\L). 

and checks if 



n iCl = [e{P Pvb ,S i {H 3 (c i )Q i )).e{T,P)] 



K 



If the equation is satisfied, the verifier accepts the signature as valid otherwise 
rejects. 

5 Analysis of IDBRS 
5.1 Correctness 

From ring signature generation protocol - 

c l+1 = [e(P Pub ,H 3 (c t )Q l ).e(T t ,P)] K 

n r l=0 c l+1 = n^ [e(P Pub ,H 3 (c l )Q l ).e(T l ,P)] K 
77[ =0 c i+ i - [ni =0 e(P Pub ,H 3 (c i )Q i ).ni =0 e(T i ,P)] K 
IIl= c i+1 = [e(P Pub ,Sl =0 (H 3 (c i )Q i )).e(SU T i ,P)] K 
n iCi = [e(P Pub ,S l (H 3 (c l )Q l )).e(T,P)} K 
which hold true, since we have c r+ i = c 
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5.2 Security 

The proposed ID-based ring scheme holds unconditionally signer-ambiguity, as 
all Ti but Tfc are taken randomly from G\: In fact, at the starting point, the Tk 
is also distributed uniformly over G\, since A is randomly chosen from G\. We 
fix a set of identities, denoted by L. 

Suppose that A is an adversary whose identity ID a is not listed in L, but 
he wants to forge a valid ring signature. A can either forge a valid signature of 
a user whose identity IDk is listed in L or executes the following experiment: 

1. A queries Extract qe , (?e > 0) times with known parameters and IDi, 
which does not not belongs to L,for i = 1,2,..., qE- The query Extract 
returns the qE corresponding secret key such that Si = sH2(IDi) = sQi . 

2. He Chooses randomly an integer cq G Z* 

3. He runs ring signature generation protocol's third step for i = 0, 1, r — 2, 
where r = \L\ 

4. Assigns c = [e{P Pub , H s {c k -i)Qk-i)-e{ T k^i, P)] K 

5. Outputs the ring signature (L; ci, C2, cv; T) 

After running Step 1 of the above experiment, A gets {Si, S%, S qE }, a set of 
secret keys . Suppose he gets a pair (ID m ,S m ) such that ^(^m) = H 2 (IDj), 
where IDj 6 L, then he can forge a valid ring signature. But since H 2 is 
random oracle and Extract generates random numbers with uniform distribu- 
tions. This implies that A gets nothing from query results. #3 is random oracle 
and all Ti are taken randomly from G\. This implies that the probability of 
c = [e(Pp u b, i?3(cfe_i)Qfe-i).e(Tfe_i, P)] K to be true is K So we can say that 
the proposed scheme is non-forgeable. 

5.3 Efficiency 

The proposed ring signature scheme works under the environment of supersingu- 
lar elliptic curves or hyperelliptic curves. The essential operation in our ID-based 
signature schemes is to compute a bilinear pairing. 

We denote by P, the cost of computation a bilinear pairing, Aq 1 the cost of 
addition in Gi , Mq 1 cost of multiplication in Gi , Mq 2 cost of multiplication in 
G2 and cost of multiplication in Z q by Mz q ■ The cost of hashing is denoted by 
H. We shall not consider exponentiation as it can be reduced in addition in G\. 
We ignore the cost of computation of ff 2 (-f-D) 

In our opinion both the first two schemes discussed in Table ^ are having 
inconsistency in the computational procedure. As in Zhang's scheme |13| . in 
initialization, Ck+\ = H (L\ \m\ \e(A, P)) has been computed, which is incorrect. 
H is defined in their paper as H : {0, 1}* — > Z q . But in computation of Ck+i, the 
pairing e(A, P) had used, which belongs to V (according to their notation), not to 
Z q . This shows their Ck+i computation is taken incorrectly. We may remove this 
inconsistency by applying a newly defined hash function as H4 : Gi — > {0, 1}*. 
If we modify their scheme's in this way, computational cost of their scheme 
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Table 1. Comparison of computational cost with existing schemes. 





Signature Generation 


Verification 


Zhang's Scheme 


(2n - 1)P + nH + nA Gl 
+nM Gl + (n - 1)M G2 


2nP + + nM Gl + nM G2 


Lin's Scheme 


(2n- 1)P + H + nA Gl 
+ (2n - l)M Gl + nM G2 


2P + H+(n- l)A Gl 
+{n+l)M Gl +nM G2 


Proposed Scheme 


(2n - l)P + nH + (n + l)A Gl 
+2nM Gl + (n - 1)Mq 2 


2P + (n + l)H + (n + l)A Gl 
+ (n + l)M Gl + (n - l)M Zq + M G2 



increases by a factor nH in signature phase and by a factor of nH in verification 
phase. A very similar mistake is in Lin's scheme [?] is made. In Equation 3, they 
have computed c a +i = e(A, P). This implies that the c a +i is an element of G2, 
but they have treated it as element of Z q in equation 4 and also in equation 5. 
(If P G G2 and Q G G\ then P.Q is not defined.). If we define a hash function 
H5 '■ G2 — > Z q , computational cost of this scheme is also increased by a factor 
nH in signature generation phase and also nH in verification phase. Our scheme 
does not contain such inconsistency and also is more efficient. 

6 ID-based Proxy Ring Signature Scheme (IDBPRS) 
6.1 Delegation Function due to Zhang et al. |14j 

Here an original signer with secret key- public key pair (x a , PK Q ) wants to 
delegate signing power to proxy signer with secret key- public key pair [x p , PK p ). 
System parameters are {G\, G2, e, q, P, Hi, H2}. The original signer runs the 
following protocol - 

— The original signer prepares a warrant message consist of explicit descrip- 
tion of the delegation relation, warrant message also contains some identity 
information of the proxy signer. 

— The original signer computes x ow — x Q H2 (w) and sends (x ow , w) to the 
proxy signer. 

— Proxy signer checks e(x ow ,P) = e(H2{w),PK ). If it holds, he computes 

w). 

Above protocol can be regarded as PKGen (Proxy key generation protocol) in 
proxy signature scheme. In this delegation proxy signer will use x w as secret 
key and PK Q + PK p as public key. Now proxy signer may use any ID-based 
signcryption scheme from pairing (takes the ID public key as H2(w) and secret 
key x w and the public key of trusted authority as PK Q + PK p ) to get proxy 
signcryption scheme. Security of above protocol is discussed in |14j. 

7 A New Proxy Ring Signature Scheme from Pairings 

[Setup] The system parameters params = {Gi, G2, e, q, P, Hi, H2] Let Alice 
be the original signer with public key PK Q = s P and private key s , and 



8 Amit K Awasthi and Sunder Lai 



L = {PSi} be the set of proxy signers with public key PK Pi = s Pi P and private 
key s Pi . 

[Proxy Key Generation] The original signer prepares a warrant w, which is 
explicit description of the delegation relation. Then he sends (w, s Q H 2 (w)) to 
the proxy group L. Each proxy signer uses his secret key S Pi to sign the warrant 
w and gets his proxy key Si = s Q H 2 {w) + s Pi H 2 (w). 

[Proxy Ring Signing] For signing any message m, the proxy signer PSi chooses 
a subset L' C L. Proxy signers's public key is listed in L' . Now to sign he/ she 
perform following operations: 

— Initialization: Choose randomly an clement A £ Gi, compute 

c k+1 =e{A,P) (1) 

— Generate forward ring sequence For i = k + l,k + 2, ....k+(n — 1) choose 
randomly T, e Gi and compute 

Ci+i - e(PK + PK Pt ,H 3 ( Cl )H 2 (w)f 2{mllL) .e(Ti,P) (2) 

— Forming the ring: Let R n = R Q . Then, PSi computes 

Ti = A-h 2 (m || L)H 3 (ci)Si, (3) 

T = S^Ti (4) 

— Output: Finally, Let c n = cq. The resulting ring signature for a message m 
and with ring member specified by L' is the (n + l)-tuple:(ci, c 2 , ...,c n ,T) 

[Verification] Given message m, its ring signature (c\, c 2 , c n , T), and the 
set L' of the identities of all ring members, the verifier can check the validity of 
the signature by the testing if: 

TT^iCi = e(PK + PK Pt ,ZZ =1 H 3 (c i )H 1 (w)) Ha ™ L) .e(T,P) (5) 
8 Analysis 

Key Secrecy In computing user P^s private key Si from the corresponding 
public key PK a + PK Pi requires the knowledge of original signer's private key 
s and proxy signer's private key s Pi . According to definition these keys are 
protected under the intractability of DLP in G\ as PK a = s a P and PKp i = 

Sp^P- 

Signer ambiguity In a valid proxy ring signature (c\,c 2 , ...,c n ,T) with proxy 
group V generated by PSi all Ci's are computed by eq 2. Since Ti 6 G\ is chosen 
uniformly at random, each a is uniformly distributed over G 2 . Thus, regardless 
who the actual signer is and how many ring members involved (ci, c 2l c n ) 
biases to no specific ring member. Other discussion are very similar as in previous 
sections. 
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9 Conclusion 

In this paper we proposed a new ID-based ring signature scheme from bilinear 
pairings. This scheme removes deficiencies in existing schemes. In this paper we 
proposed a new and a proxy ring signature scheme which, whenever proxy signer 
want to sign message on behalf of the original signer provide anonymity. The 
proposed scheme is more efficient than the scheme of Zhang et al.'s, especially 
for the pairing operation required in the signature verification. This proxy ring 
signature scheme is more efficient for those verifiers who have limited computing 
power. 
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